01 Before you can create your own Customer-Managed Encryption Key (CMEK), you have to provision a key ring. A Cloud KMS key ring is a grouping of cryptographic keys, made available for organizational purposes, that lives in a specific Google Cloud location. Run the kms keyrings create command (Windows/macOS/Linux) to create a new Cloud KMS key ring in the specified location. If the keys you later create within this key ring will encrypt resources in a given region, choose that region as the key ring location:
gcloud kms keyrings create cc-cloud-repo-key-ring \
  --location=us \
  --project=cc-web-project-123123 \
  --format="table(name)"
02 The command output should return the resource name of the newly created key ring:
NAME
projects/cc-web-project-123123/locations/us/keyRings/cc-cloud-repo-key-ring
03 Run the kms keys create command (Windows/macOS/Linux) to create a new Customer-Managed Encryption Key (CMEK) within the Cloud KMS key ring created in the previous step:
gcloud kms keys create cc-cloud-repo-kms-key \
  --location=us \
  --keyring=cc-cloud-repo-key-ring \
  --purpose=encryption \
  --protection-level=software \
  --rotation-period=90d \
  --next-rotation-time=2025-01-25T10:00:00.0000Z \
  --format="table(name)"
04 The command output should return the full resource name of the new Customer-Managed Encryption Key:
NAME
projects/cc-web-project-123123/locations/us/keyRings/cc-cloud-repo-key-ring/cryptoKeys/cc-cloud-repo-kms-key
05 Run the kms keys add-iam-policy-binding command (Windows/macOS/Linux) to grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the Artifact Registry service account (the service agent passed as --member below). The --location flag must name the location of the key ring created in step 1, not the region of the repository:
gcloud kms keys add-iam-policy-binding cc-cloud-repo-kms-key \
  --keyring=cc-cloud-repo-key-ring \
  --location=us \
  --member='serviceAccount:service-<project-number>@gcp-sa-artifactregistry.iam.gserviceaccount.com' \
  --role=roles/cloudkms.cryptoKeyEncrypterDecrypter
06 The command output should return the updated IAM policy (YAML format):
Updated IAM policy for key [cc-cloud-repo-kms-key].
bindings:
- members:
  - serviceAccount:service-<project-number>@gcp-sa-artifactregistry.iam.gserviceaccount.com
  role: roles/cloudkms.cryptoKeyEncrypterDecrypter
etag: ABCD1234ABCD1234
version: 1
07 Run the artifacts repositories create command (Windows/macOS/Linux) to create a new Artifact Registry repository encrypted with your own Cloud KMS Customer-Managed Encryption Key (CMEK), passing the full key resource name returned in step 4 to --kms-key:
gcloud artifacts repositories create new-cloud-run-source-deploy \
  --repository-format=docker \
  --location=us-central1 \
  --kms-key="projects/cc-web-project-123123/locations/us/keyRings/cc-cloud-repo-key-ring/cryptoKeys/cc-cloud-repo-kms-key" \
  --async
08 Because the command runs asynchronously, its output returns the operation you can poll for the status of the create request:
Create request issued for: [new-cloud-run-source-deploy]
Check operation [projects/cc-web-project-123123/locations/us-central1/operations/abcdabcd-1234-abcd-1234-abcd1234abcd] for status.
09 Repeat steps no. 7 and 8 for each Artifact Registry repository that you want to re-create in the selected GCP project.
10 Repeat steps no. 1 – 9 for each GCP project deployed in your Google Cloud account.
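After the steps above, an audit pass confirms that every repository in the project actually ended up with a CMEK and that the key sits in the location step 1 asks for. The script below is an added example, not part of the original page or of Google's tooling; it assumes the tab-separated shape of gcloud's --format='value(name,kmsKeyName)' output, and every project, key and repository name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original page: after steps 1-9, audit the
# project's Artifact Registry repositories for a missing CMEK or a key whose
# location differs from the repository's (step 1 asks for matching locations).
# Every project, key and repository name below is a constructed placeholder.
set -eu

# Full Cloud KMS resource name, the value --kms-key expects in step 7.
kms_key_name() {
  printf 'projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s\n' "$1" "$2" "$3" "$4"
}

# Location segment of any projects/P/locations/L/... resource name.
resource_location() {
  printf '%s\n' "$1" | sed -n 's#^projects/[^/]*/locations/\([^/]*\)/.*#\1#p'
}

# Reads lines "<repository name><TAB><kmsKeyName>", the shape produced by
#   gcloud artifacts repositories list --project=P --format='value(name,kmsKeyName)'
# Prints one finding per failing repository; returns 1 if there is any finding.
audit_repos() {
  rc=0
  while IFS="$(printf '\t')" read -r repo key; do
    [ -n "$repo" ] || continue
    if [ -z "$key" ]; then
      echo "NO_CMEK $repo"; rc=1
    elif [ "$(resource_location "$repo")" != "$(resource_location "$key")" ]; then
      echo "LOCATION_MISMATCH $repo key=$key"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of the list output: one compliant repository, one whose
# key lives in a different location than the repository, and one with no CMEK.
P=cc-web-project-123123
GOOD_KEY="$(kms_key_name "$P" us cc-cloud-repo-key-ring cc-cloud-repo-kms-key)"
SAMPLE_REPOS="$(printf '%s\t%s\n' \
  "projects/$P/locations/us/repositories/cc-cloud-repo" "$GOOD_KEY" \
  "projects/$P/locations/us-central1/repositories/new-cloud-run-source-deploy" "$GOOD_KEY" \
  "projects/$P/locations/us-central1/repositories/legacy-repo" "")"

# Real use: gcloud artifacts repositories list ... | audit_repos
printf '%s\n' "$SAMPLE_REPOS" | audit_repos || echo "audit failed: fix the findings above"
```

Run it against each project from step 10; a non-zero exit means at least one repository still needs steps 7 and 8.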